When Prometheus scrapes over discovered pod IPs we have IPs as hosts,
which we can't whitelist, so we need the inverse.
Details
- Reviewers: None
- Group Reviewers: Restricted Project
Diff Detail
- Repository: rK kolab
- Lint: Lint Skipped
- Unit: No Test Coverage
- Build Status: Buildable 54747, Build 19473: arc lint + arc unit
Event Timeline
This is kind of a mess. Maybe a better approach would be to just check that the request comes from the "internal" location? E.g. by having a list of IP networks (or IPs). But that potentially may be more complicated. Another possibility, a "client secret", but this probably would be even more problematic.
Whitelisting IP subnets is a mess too and requires extra attention for every deployment to make sure the subnets match. The question is how to detect an "internal" location. So far we reserved a hostname for the internal location, and block everything else. My proposal is to block the external location, and allow everything else (assume it's internal).
Either way, we currently delegate the access control externally, since something needs to make sure that you can't just send a request with a spoofed host header.
FWIW, this is currently required for the swoole metrics only. The reason is that for the swoole metrics we don't scrape the service (one of the pods), but each individual pod.
I can see the following potential solutions:
- Expose the kolab pods with dedicated services (kolab-1 to kolab-N), which can then be enumerated in AllowedHosts, respectively we could do a regex check on the hostname (because the number of pods can be dynamic). This seems relatively complex on the Kubernetes side but should be doable in principle.
- Whitelist the IP subnet that Kubernetes happens to use (might also be discoverable when the pod starts)
- Switch to the proposed blacklist solution, where we blacklist the one exposed domain, and allow everything else.
- Use some form of authentication (token, ...). We could for instance add basic auth to the scrape target.
Perhaps whitelisting the IP subnet wouldn't be so bad if we can detect it during pod start... I'll have a look.
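The three header/network policies weighed in this thread, side by side, as an added example that is not code from the kolab project: a hostname allowlist with a regex for per-pod services, a denylist of the one exposed domain, and a source-subnet check. The hostnames, the `kolab-N` pattern, the pod CIDR and every function name are constructed assumptions. The two Host-based policies trust whatever the client sent, so, as noted above, they still depend on something upstream stopping spoofed Host headers; the subnet policy keys on the peer address instead, and the combined mode shows the two layered.

```python
import ipaddress
import re

# Constructed configuration; kolab's real config keys are not reproduced here.
ALLOWED_HOSTS = {"metrics.internal"}                  # reserved internal hostname
ALLOWED_HOST_PATTERNS = [re.compile(r"^kolab-\d+$")]  # per-pod services kolab-1 .. kolab-N
EXPOSED_HOSTS = {"kolab.example.com"}                 # the single externally exposed domain
POD_SUBNETS = [ipaddress.ip_network("10.42.0.0/16")]  # assumed cluster pod CIDR


def normalize_host(host_header: str) -> str:
    """Lowercase and strip an optional port so 'Kolab-3:8000' compares as 'kolab-3'.

    Handles bracketed IPv6 literals ([fd00::1]:8000) and leaves bare IPv6
    addresses (more than one colon, no brackets) untouched.
    """
    host = host_header.strip().lower()
    if host.startswith("["):
        return host[1:host.index("]")]
    if host.count(":") == 1:
        return host.rsplit(":", 1)[0]
    return host


def allowlist_permits(host_header: str) -> bool:
    """Current scheme: only a reserved hostname (or a kolab-N service name) passes.

    A scrape addressed to a raw pod IP is rejected, which is the problem the
    thread describes.
    """
    host = normalize_host(host_header)
    return host in ALLOWED_HOSTS or any(p.match(host) for p in ALLOWED_HOST_PATTERNS)


def denylist_permits(host_header: str) -> bool:
    """Proposed inverse: block the exposed domain, treat everything else as internal."""
    return normalize_host(host_header) not in EXPOSED_HOSTS


def subnet_permits(client_ip: str) -> bool:
    """Source-address check against the pod CIDR; malformed addresses are rejected."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in POD_SUBNETS)


def scrape_permitted(host_header: str, client_ip: str, mode: str = "denylist") -> bool:
    """Dispatch on the policy under discussion.

    'combined' layers the denylist with the subnet check, so a request that
    spoofs an internal-looking Host header from outside the pod network is
    still refused.
    """
    if mode == "allowlist":
        return allowlist_permits(host_header)
    if mode == "denylist":
        return denylist_permits(host_header)
    if mode == "subnet":
        return subnet_permits(client_ip)
    if mode == "combined":
        return denylist_permits(host_header) and subnet_permits(client_ip)
    raise ValueError(f"unknown policy mode: {mode}")


if __name__ == "__main__":
    # A scrape of a discovered pod IP, as Prometheus would issue it.
    for mode in ("allowlist", "denylist", "subnet", "combined"):
        print(mode, scrape_permitted("10.42.0.5:8000", "10.42.0.9", mode))
```

Running the block shows the allowlist refusing the pod-IP scrape while the other three policies accept it; the regex branch exists only for the per-pod-service variant, and adding a new pod then needs no config change.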